Last month, we blogged about Patco v. Ocean Bank, where the First Circuit held that the bank may bear the loss of fraudulent ACH transfers because its security procedures were not “commercially reasonable” under the Funds Transfers Act provisions of the UCC. Though the decision left open the question of customer responsibility, for now it belongs in the win column for customers.

But the vast majority of these banking relationships include an agreement where the customer promises to indemnify the bank for a fraudulent wire transfer. It was unclear how these agreements can factor into the analysis–could an indemnity agreement shield a bank from the UCC’s “commercially reasonable” analysis altogether?

A district court for the Western District of Missouri considered this question in Choice Escrow v. BancorpSouth, and held that the UCC provisions preempt indemnity agreements.

Background

Choice Escrow maintained a trust account with BancorpSouth (“BSB”). In March 2010, BSB received a request online to transfer $440,000 out of Choice’s trust account. The third party made the request using Choice Escrow’s login credentials.

Choice Escrow filed claims against BSB under the “Funds Transfers Act” (i.e. the relevant UCC provisions) as adopted by Missouri. BancorpSouth shot back with four counterclaims relating to indemnity agreements signed by Choice Escrow, agreeing to indemnify BSB for any losses, costs, liabilities or expenses.

In a close call, the district court held that these ACH fraud matters are governed specifically by the Funds Transfers Act. Arriving at its decision, the court paid special attention to the intent of the UCC drafters:

On one hand, it seems obvious that the drafters of the UCC wanted banking sector parties to be protected from common law negligence claims and to encourage uniformity and consistency. On the other hand, it seems unlikely that the drafters of the UCC wanted to discourage business entities from freely exercising their rights to contract the terms of their relationships

It’s rare to see a court strike out an agreed-upon contract provision; it’s even more rare when both parties are “sophisticated,” as is the case here. When it happens, it’s always a good idea to look to the policy considerations.

It’s true that these wire fraud cases would be a lot less messy if banks could avoid liability using indemnity clauses. But such “uniformity and consistency” might be unduly harsh on customers if, through these agreements, they were always on the hook regardless of the bank’s actions.

In the same vein, widespread use of indemnity clauses might also reduce banks’ motivations to invest a lot in their security infrastructure–especially if they never had to fear liability for these large sums of money. Of course, the banks would still have an incentive to keep their customers’ accounts safe in an Adam Smith “Invisible Hand” sense, but I think the court doesn’t like any movement in that direction because security from wire fraud is such an important goal. With most of these cases, hundreds of thousands (if not millions) of dollars are at stake.

We still don’t know what (if any) duties the customer has in preventing fraud on their online bank accounts. It’s an important question in this case because the hacker got access through Choice Escrow’s account. The court in Patco recommended further hearings on the issue, so we may just have to wait and see.

[Eric’s comment: although deal lawyers often spend lots of time drafting and negotiating indemnity clauses, there’s widespread suspicion that indemnity clauses rarely work in the field or in court. Another good example here.]